Re: [http-auth] Evaluation Criteria
Yoav Nir <ynir@checkpoint.com> Wed, 17 July 2013 21:43 UTC
Return-Path: <ynir@checkpoint.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 194C221F9FBD for <http-auth@ietfa.amsl.com>; Wed, 17 Jul 2013 14:43:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.564
X-Spam-Level:
X-Spam-Status: No, score=-10.564 tagged_above=-999 required=5 tests=[AWL=0.035, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xEhDbU6C2fAB for <http-auth@ietfa.amsl.com>; Wed, 17 Jul 2013 14:43:39 -0700 (PDT)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id D76F221F9F5E for <http-auth@ietf.org>; Wed, 17 Jul 2013 14:43:38 -0700 (PDT)
Received: from IL-EX10.ad.checkpoint.com ([194.29.34.147]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id r6HLhZ3D012111; Thu, 18 Jul 2013 00:43:35 +0300
X-CheckPoint: {51E71007-10-1B221DC2-1FFFF}
Received: from DAG-EX10.ad.checkpoint.com ([169.254.3.48]) by IL-EX10.ad.checkpoint.com ([169.254.2.91]) with mapi id 14.02.0342.003; Thu, 18 Jul 2013 00:43:34 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Thread-Topic: Evaluation Criteria
Thread-Index: AQHOgzOsPgmnOVj3SUWlKbLepGorM5lpNKyA
Date: Wed, 17 Jul 2013 21:43:34 +0000
Message-ID: <5484C651-7532-4DFE-B7FE-49C5685B612E@checkpoint.com>
References: <36A66E35-C62E-44CA-8A76-E289C1B21FCA@checkpoint.com> <51E6FEDF.2030003@cs.tcd.ie> <06054FD8-CF57-4BB0-B638-F1F50FC20A78@checkpoint.com> <51E70ADE.408@cs.tcd.ie>
In-Reply-To: <51E70ADE.408@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.31.20.46]
x-kse-antivirus-interceptor-info: protection disabled
x-cpdlp: 11c1b6d827358f45a83246a6f0d08d14433a751ce7
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <3F03E87969AA9148892853FE7FCB0BA6@ad.checkpoint.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] Evaluation Criteria
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jul 2013 21:43:45 -0000
On Jul 18, 2013, at 12:21 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: >> I think it's a good idea to start this discussion now. So as a >> starting point, how about these: >> >> * Security (obviously - look for vulnerabilities or bad practices) >> >> * Implementation pitfalls - anything that will make implementing this >> unnecessarily difficult >> >> * unstated assumptions or requirements - some examples: * if the >> method requires a file with cleartext passwords on the web server, >> that's fine or not, but it should be stated. * If the method requires >> TLS, that should be stated. * If the web server needs access to the >> TLS state (for extractor, or data from a user certificate), that >> should be stated. * If either or both sides need a good random >> source, that should be stated. * If implementing this requires some >> UI elements in the client, that should be stated. >> >> * Interaction with infrastructure - can this work with AAA protocols? >> Can you use this for OpenID/WebID/OAuth ? >> >> * Performance - does this proposal have extraordinary resource >> (CPU/memory/bandwidth) requirements? Per authentication? Per >> logged-in user? Per defined user >> >> This is by no means a closed list, and we'd be very happy to get >> feedback and updates to this list. > > * Vulnerable to password-verifier DB theft... or not? :-) I hope this falls under security, no? > If the above are used as ways to prompt better review that > sounds like a fine idea. To be clear, there is no check list. I don't think we should advance a clearly broken method. But if a method is practical and secure only under a set of conditions, it can advance as long as it states such conditions. And to answer another question that I got in private email: these criteria apply to the experimental drafts: HOBA, Mutual, Scram, and RestAuth. Our charter calls for standards=track for the Basic and Digest documents, plus the protocols (before the update) have over 20 years of deployment experience, so they will be evaluated just like any other IETF draft. Yoav
- Re: [http-auth] Draft Agenda for Berlin Stephen Farrell
- [http-auth] Draft Agenda for Berlin Yoav Nir
- [http-auth] Evaluation Criteria (was: Draft Agend… Yoav Nir
- Re: [http-auth] Evaluation Criteria Stephen Farrell
- Re: [http-auth] Evaluation Criteria Yoav Nir
- Re: [http-auth] Draft Agenda for Berlin Martin J. Dürst